Create dependabot.yml #6
| # ============================================================================ | |
| # CodeQL Advanced Security Analysis | |
| # Detects: CWEs, CVEs, Security Vulnerabilities, Code Quality Issues | |
| # ============================================================================ | |
| name: "CodeQL Advanced Security" | |
| on: | |
| push: | |
| branches: [ "main", "master", "develop" ] | |
| pull_request: | |
| branches: [ "main", "master" ] | |
| schedule: | |
| - cron: '27 9 * * 0' # Weekly on Sunday | |
| workflow_dispatch: # Manual trigger | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| pull-requests: write | |
| jobs: | |
| # ============================================================================ | |
| # JOB 1: CodeQL SAST Analysis | |
| # ============================================================================ | |
| codeql-analysis: | |
| name: "CodeQL (${{ matrix.language }})" | |
| runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} | |
| timeout-minutes: 360 | |
| permissions: | |
| security-events: write | |
| packages: read | |
| actions: read | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: csharp | |
| build-mode: manual | |
| - language: java-kotlin | |
| build-mode: manual | |
| - language: javascript-typescript | |
| build-mode: none | |
| - language: python | |
| build-mode: none | |
| steps: | |
| # ======================================== | |
| # Checkout Code | |
| # ======================================== | |
| - name: π₯ Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Full history for better analysis | |
| # ======================================== | |
| # Setup .NET (for C#) | |
| # ======================================== | |
| - name: βοΈ Setup .NET SDK | |
| if: matrix.language == 'csharp' | |
| uses: actions/setup-dotnet@v4 | |
| with: | |
| dotnet-version: | | |
| 6.0.x | |
| 7.0.x | |
| 8.0.x | |
| # ======================================== | |
| # Setup Java (for Java/Kotlin) | |
| # ======================================== | |
| - name: βοΈ Setup Java JDK | |
| if: matrix.language == 'java-kotlin' | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '17' | |
| cache: 'maven' | |
| # ======================================== | |
| # Setup Python | |
| # ======================================== | |
| - name: βοΈ Setup Python | |
| if: matrix.language == 'python' | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| cache: 'pip' | |
| # ======================================== | |
| # Setup Node.js (for JavaScript/TypeScript) | |
| # ======================================== | |
| - name: βοΈ Setup Node.js | |
| if: matrix.language == 'javascript-typescript' | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| # ======================================== | |
| # Initialize CodeQL | |
| # ======================================== | |
| - name: π§ Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| # Enhanced security queries | |
| queries: +security-extended,security-and-quality | |
| # Custom configuration (if file exists) | |
| config-file: ./.github/codeql/codeql-config.yml | |
| # ======================================== | |
| # Build C# Projects | |
| # ======================================== | |
| - name: π¨ Build C# Project | |
| if: matrix.language == 'csharp' && matrix.build-mode == 'manual' | |
| run: | | |
| echo "π Discovering .NET projects..." | |
| find . -name "*.sln" -o -name "*.csproj" | head -10 | |
| echo "π¦ Restoring NuGet packages..." | |
| dotnet restore --verbosity minimal | |
| echo "ποΈ Building in Release mode..." | |
| dotnet build --configuration Release --no-restore --verbosity minimal \ | |
| /p:UseSharedCompilation=false \ | |
| /p:TreatWarningsAsErrors=false | |
| echo "β Build completed" | |
| # ======================================== | |
| # Build Java/Kotlin Projects | |
| # ======================================== | |
| - name: π¨ Build Java/Kotlin Project | |
| if: matrix.language == 'java-kotlin' && matrix.build-mode == 'manual' | |
| run: | | |
| echo "π Detecting build system..." | |
| if [ -f "pom.xml" ]; then | |
| echo "π¦ Maven project detected" | |
| mvn clean install -DskipTests -B -V | |
| elif [ -f "build.gradle" ] || [ -f "build.gradle.kts" ]; then | |
| echo "π¦ Gradle project detected" | |
| chmod +x gradlew || true | |
| ./gradlew build -x test --no-daemon | |
| else | |
| echo "β οΈ No recognized build file found" | |
| fi | |
| echo "β Build completed" | |
| # ======================================== | |
| # Perform CodeQL Analysis | |
| # ======================================== | |
| - name: π¬ Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:${{ matrix.language }}" | |
| output: sarif-results | |
| upload: true | |
| add-snippets: true | |
| # ======================================== | |
| # Upload SARIF Results | |
| # ======================================== | |
| - name: π€ Upload CodeQL SARIF | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: codeql-sarif-${{ matrix.language }} | |
| path: sarif-results | |
| retention-days: 30 | |
| # ============================================================================ | |
| # JOB 2: Dependency Scanning (CVE Detection) | |
| # ============================================================================ | |
| dependency-scan: | |
| name: "Dependency & CVE Scan" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: π₯ Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: βοΈ Setup .NET | |
| uses: actions/setup-dotnet@v4 | |
| with: | |
| dotnet-version: '8.0.x' | |
| # ======================================== | |
| # Scan .NET Dependencies | |
| # ======================================== | |
| - name: π Scan .NET Dependencies for CVEs | |
| continue-on-error: true | |
| run: | | |
| echo "π Scanning .NET dependencies for known vulnerabilities..." | |
| dotnet list package --vulnerable --include-transitive 2>&1 | tee dotnet-vulnerabilities.txt | |
| if grep -q "has the following vulnerable packages" dotnet-vulnerabilities.txt; then | |
| echo "::warning::Vulnerable .NET dependencies detected!" | |
| else | |
| echo "β No known vulnerabilities in .NET dependencies" | |
| fi | |
| # ======================================== | |
| # Generate SBOM | |
| # ======================================== | |
| - name: π Generate SBOM | |
| continue-on-error: true | |
| run: | | |
| echo "π Generating Software Bill of Materials..." | |
| dotnet tool install --global CycloneDX | |
| dotnet CycloneDX . -o . -f sbom.json | |
| echo "β SBOM generated" | |
| - name: π€ Upload SBOM | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom | |
| path: sbom.json | |
| retention-days: 90 | |
| # ======================================== | |
| # Dependency Review (for PRs) | |
| # ======================================== | |
| - name: π Dependency Review | |
| if: github.event_name == 'pull_request' | |
| uses: actions/dependency-review-action@v4 | |
| with: | |
| fail-on-severity: moderate | |
| deny-licenses: GPL-2.0, GPL-3.0 | |
| - name: π€ Upload Dependency Reports | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: dependency-reports | |
| path: dotnet-vulnerabilities.txt | |
| retention-days: 30 | |
| # ============================================================================ | |
| # JOB 3: Secret Scanning | |
| # ============================================================================ | |
| secret-scan: | |
| name: "Secret Detection" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: π₯ Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| # ======================================== | |
| # Gitleaks Secret Scan | |
| # ======================================== | |
| - name: π Gitleaks Secret Scan | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # ======================================== | |
| # TruffleHog Secret Scan | |
| # ======================================== | |
| - name: π TruffleHog Secret Scan | |
| continue-on-error: true | |
| run: | | |
| echo "π Running TruffleHog..." | |
| docker pull trufflesecurity/trufflehog:latest | |
| docker run --rm -v "$PWD:/scan" trufflesecurity/trufflehog:latest \ | |
| filesystem /scan --json --no-update > trufflehog-results.json || true | |
| - name: π€ Upload Secret Scan Results | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: secret-scan-results | |
| path: trufflehog-results.json | |
| retention-days: 30 | |
| # ============================================================================ | |
| # JOB 4: Malware Scanning | |
| # ============================================================================ | |
| malware-scan: | |
| name: "Malware Detection" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: π₯ Checkout repository | |
| uses: actions/checkout@v4 | |
| # ======================================== | |
| # ClamAV Malware Scan | |
| # ======================================== | |
| - name: π¦ ClamAV Malware Scan | |
| continue-on-error: true | |
| run: | | |
| echo "π¦ Installing ClamAV..." | |
| sudo apt-get update | |
| sudo apt-get install -y clamav | |
| echo "π₯ Updating virus definitions..." | |
| sudo systemctl stop clamav-freshclam || true | |
| sudo freshclam | |
| echo "π Scanning for malware..." | |
| clamscan -r --bell -i . | tee clamav-scan.txt | |
| if grep -q "Infected files: 0" clamav-scan.txt; then | |
| echo "β No malware detected" | |
| else | |
| echo "::error::Malware detected!" | |
| exit 1 | |
| fi | |
| - name: π€ Upload Malware Scan Results | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: malware-scan-results | |
| path: clamav-scan.txt | |
| retention-days: 30 | |
| # ============================================================================ | |
| # JOB 5: Additional SAST Tools | |
| # ============================================================================ | |
| additional-sast: | |
| name: "Additional SAST" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: π₯ Checkout repository | |
| uses: actions/checkout@v4 | |
| # ======================================== | |
| # Semgrep SAST | |
| # ======================================== | |
| - name: π Semgrep SAST Scan | |
| uses: returntocorp/semgrep-action@v1 | |
| with: | |
| config: >- | |
| p/security-audit | |
| p/secrets | |
| p/owasp-top-ten | |
| p/cwe-top-25 | |
| # ======================================== | |
| # Bandit (Python) | |
| # ======================================== | |
| - name: π Bandit Python Security Scan | |
| if: hashFiles('**/*.py') != '' | |
| continue-on-error: true | |
| run: | | |
| pip install bandit | |
| bandit -r . -f json -o bandit-results.json || true | |
| - name: π€ Upload SAST Results | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: additional-sast-results | |
| path: bandit-results.json | |
| retention-days: 30 | |
| # ============================================================================ | |
| # JOB 6: Security Summary Report | |
| # ============================================================================ | |
| security-summary: | |
| name: "Security Summary" | |
| runs-on: ubuntu-latest | |
| needs: [codeql-analysis, dependency-scan, secret-scan, malware-scan, additional-sast] | |
| if: always() | |
| steps: | |
| - name: π Generate Security Summary | |
| run: | | |
| echo "# π Security Scan Report" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "## π Scan Results" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "| Security Check | Status |" >> $GITHUB_STEP_SUMMARY | |
| echo "|---------------|--------|" >> $GITHUB_STEP_SUMMARY | |
| echo "| π CodeQL SAST | ${{ needs.codeql-analysis.result }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| π¦ Dependency Scan | ${{ needs.dependency-scan.result }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| π Secret Detection | ${{ needs.secret-scan.result }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| π¦ Malware Scan | ${{ needs.malware-scan.result }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| π¬ Additional SAST | ${{ needs.additional-sast.result }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "## π― Coverage" >> $GITHUB_STEP_SUMMARY | |
| echo "β **CWE Detection** - Code vulnerabilities" >> $GITHUB_STEP_SUMMARY | |
| echo "β **CVE Detection** - Dependency vulnerabilities" >> $GITHUB_STEP_SUMMARY | |
| echo "β **Secret Detection** - API keys, passwords" >> $GITHUB_STEP_SUMMARY | |
| echo "β **Malware Detection** - Viruses, trojans" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "π View detailed results in Security tab" >> $GITHUB_STEP_SUMMARY |
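Review bot: The ClamAV step is marked `continue-on-error: true`, so its `exit 1` on a detection never fails the `malware-scan` job and the summary job's `${{ needs.malware-scan.result }}` reports `success` even when the scan found something; remove `continue-on-error` from that step (or gate the job on the step's `outcome`) so a positive scan surfaces as a failure. The workflow-level `permissions` block grants `pull-requests: write`, which none of the steps as configured uses (`dependency-review-action` only needs it when PR commenting is enabled, which it is not here); `contents: read` plus `security-events: write` is sufficient at the top level, so drop it to keep the token least-privileged. Third-party actions (`gitleaks/gitleaks-action@v2`, `returntocorp/semgrep-action@v1`, `actions/dependency-review-action@v4`) and the `trufflesecurity/trufflehog:latest` image are referenced by mutable tags; pin them to a commit SHA or image digest so the scanners themselves do not become a supply-chain vector. The comment `# Custom configuration (if file exists)` on `config-file` is misleading, because `codeql-action/init` errors when the referenced file is absent, so either commit `.github/codeql/codeql-config.yml` alongside this change or remove the input. The PR title says `dependabot.yml` but the content is an Actions workflow, which presumably belongs under `.github/workflows/` rather than at the Dependabot config path — worth confirming before merge.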